[b[Summary[/b]
mIRC provides scripting capabilities to allow extension of the client. A flaw exists in the $asctime identifier, which is used to format UNIX style time stamps. Passing a string of sufficient length to $asctime will cause a buffer overflow on the stack. This allows the execution of byte code through calling $asctime with a carefully constructed string.
The default script included with mIRC does not call $asctime at any point. However the majority of major scripts available for download call $asctime to decode data provided by the IRC server. Many scripts call $asctime on data provided from other remote sources. The exploitation of this flaw therefore depends on the script installed by the victim.

Impact
Low to high, a vanilla installation of mIRC does not contain any attack vector to allow a remote compromise. However many scripts introduce an attack vector allowing arbitrary code execution through exploitation of this flaw.

Vendor Response
Vendor was informed on the 30/7/2002, along with being provided the proof of concept code. mIRC 6.03 was released on the 16/08/02 that includes a fix for this issue. No response was sent to James. It is worth noting that the vendor has not made any effort to inform its userbase of this flaw or the flaw in versions prior to 6.0 which was released earlier this year. As a result a large number of users have not upgraded, of course its difficult to make all users upgrade but vendor recognition is a big factor.

Using a rather rough method James performed mass CTCP VERSION'S on several major channels, located on a number of networks. Around 30% of users seem still run mIRC 5.91 or lower. About 60% are using mIRC 6.00-6.02.

A number of major scripts currently advise users not to upgrade to mIRC 6.00 or later as they do not work on the new version. Hence, users of these scripts are not being encouraged to upgrade. Vendor acknowledgement of the flaws in James's opinion would help persuade the maintainers of these scripts to take actions that are more aggressive.